Nmap, 4 Scanning Methods

Why this post

Nmap, the network mapper, is one of the most important tools for a pentester and for network/system admins. It sends raw IP packets to local and remote machines, receives the responses from the target, and analyzes them.

Mapping a network, scanning small and large ranges of targets, identifying services, predicting firewall configuration, predicting the target's OS, and much more is possible with nmap. It is thus important not only to understand nmap's output/results, but also to understand how nmap works under the hood.

This post will focus on the pros/cons of each scanning method and on when to use which type of scan. Since I'm not an expert (I'm a learning student), I will not go too deep. Most of the information can be found via nmap's -h help flag, or in chapter 15 of the nmap book (https://nmap.org/book/man.html).

Scanning Techniques

1. SYN Scan

(-sS) The SYN scan is nmap's default scan. It does not complete the full three-way handshake between the attacker and the target; instead it performs a half-open ("split") handshake consisting of a "SYN", a "SYN/ACK" and a "RST" packet. No full connection is ever opened: once the SYN/ACK arrives, the attacker sends a RST and tears the connection down before it is established.

Open = Port is open for service

Filtered = Port is open, but access is filtered/restricted

Closed = Port is unreachable (there is no service running on that port)

A. Pros

Doesn't create an application-layer connection to the target

Doesn't create application-layer logs (a well-configured IDS will still log the scan)

Provides information about open, closed and filtered ports

B. Cons

Nmap must be run with privileged access (it needs to send raw packets)

Cannot identify UDP ports.

C. When to use

When the attacker has full control of nmap (i.e. runs it from the attacker's own machine)

Default scan. Often combined with -sV to find out the service version

2. Connect Scan

(-sT) Connect scan uses the full TCP three-way handshake: SYN → SYN/ACK → ACK. If it cannot complete the handshake because the port is filtered, Connect scan simply assumes the port is "blocked" and labels it unreachable/closed. Thus, Connect scan only returns open or closed ports.

A. Pros

Uses the operating system's ordinary TCP connect call, which means ANY user on the machine can use it.

Does not need privileged access

B. Cons

Makes a full TCP connection → applications/services WILL log it.

Only shows open, or, closed ports. Does NOT show filtered ports.

C. When to use

Not much. Perhaps when you have got inside a target machine and want to scan the internal network, but lack privileged access on that machine.

But then, what's the use? Your attempts will be logged on every single machine inside the internal network, and the sysadmins will know that you are inside it.

3. Stealth scans → FIN Scan (Xmas and Null as well)

(-sF) Sends a single, intentionally mangled FIN packet to each port. If the port responds with RST, the port is CLOSED. If there is no response at all, the port is either open or filtered; firewalls will often simply drop/ignore FIN packets without any response.

A. Pros

No TCP sessions, no TCP connections. Very quiet.

B. Cons

Windows targets do not honour FIN/Xmas/Null scans: every port answers as closed.

C. When to use

When you need a very quiet scan. Only shows closed and open|filtered ports.

4. ACK Scan

(-sA) ACK scan never determines whether a port is open. It only shows whether a port is filtered or unfiltered by the firewall. ACK scan uses an "ACK" → "RST" exchange.
Open and closed ports both return a RST packet, which nmap labels as unfiltered: the port is reachable.
If the port doesn't respond, nmap labels it filtered, which usually means a firewall is dropping/blocking the ACK probe.

C. When to use

Use it to make a list of filtered/unfiltered port numbers, i.e. to see which ports a firewall filters.
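To make the inference rules of the SYN, FIN/Xmas/Null and ACK scans above concrete, here is an added Python model (my own illustration, not code from this post or from the Nmap project). It builds raw TCP headers for a constructed target that follows RFC 793, and `infer_state` turns each reply into the state nmap would report; the function names and the 'dropped' status are assumptions for the example.

```python
import struct
from typing import Optional
# TCP flag bits (RFC 793, byte 13 of the header) and the flags each nmap probe sets.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
PROBES = {"syn": SYN, "fin": FIN, "null": 0, "xmas": FIN | PSH | URG, "ack": ACK}

def build_segment(src_port: int, dst_port: int, flags: int) -> bytes:
    """Constructed 20-byte TCP header; seq/ack/checksum zeroed, only flags matter here."""
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, flags, 65535, 0, 0)

def target_reply(status: str, probe_flags: int, port: int) -> Optional[bytes]:
    """Constructed RFC 793 target: closed ports RST every probe; open ports SYN/ACK a SYN,
    RST a stray ACK and ignore FIN/Xmas/Null; 'dropped' is a firewall discarding the probe."""
    if status == "dropped":
        return None
    if status == "closed" or probe_flags & ACK:
        return build_segment(port, 40000, RST | ACK)
    if probe_flags & SYN:
        return build_segment(port, 40000, SYN | ACK)
    return None

def infer_state(scan: str, reply: Optional[bytes]) -> str:
    """State nmap reports for one probe from the raw TCP reply; None = no answer before
    the timeout (an ICMP unreachable is treated alike). Connect scan reads connect() instead."""
    flags = reply[13] if reply is not None else 0
    if scan == "syn":                      # SYN/ACK = open, RST = closed, silence = filtered
        if flags & SYN and flags & ACK:
            return "open"
        return "closed" if flags & RST else "filtered"
    if scan in ("fin", "null", "xmas"):    # only a RST is conclusive: the port is closed
        return "closed" if flags & RST else "open|filtered"
    if scan == "ack":                      # any RST proves the port is reachable
        return "unfiltered" if flags & RST else "filtered"
    raise ValueError(f"unsupported scan type: {scan}")

def sweep(scan: str, ports: dict) -> dict:
    """Probe each port of a constructed target (number -> 'open'|'closed'|'dropped')
    and group the port numbers by the state nmap would report."""
    result = {}
    for port, status in sorted(ports.items()):
        state = infer_state(scan, target_reply(status, PROBES[scan], port))
        result.setdefault(state, []).append(port)
    return result

# Constructed target: 22 and 80 listening, 23 closed, 445 behind a dropping firewall.
TARGET = {22: "open", 80: "open", 23: "closed", 445: "dropped"}

if __name__ == "__main__":
    for scan in ("syn", "fin", "ack"):
        print(f"-s{scan[0].upper()}:", sweep(scan, TARGET))
```

Running it shows why the ACK scan lumps ports 22, 23 and 80 together as unfiltered, and why the FIN family cannot tell the dropped port 445 apart from the open ones.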